simon/nixos-config
simon/nixos-config
1
1
Fork 0
Code Issues 8 Pull requests Actions Projects Activity

restic: Prepare for additional backups

Browse source
This commit is contained in:
Simon Bruder 2024-08-22 16:13:13 +02:00
parent 7a72bf8b0d
commit 50823a746e
Signed by: simon
GPG key ID: 347FF8699CDA0776
11 changed files with 123 additions and 80 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
machines/fuuko/configuration.nix
View file

@ -19,20 +19,23 @@
wireguard.home.enable = true;
nginx.hardening.enable = true;
printing.server.enable = true;
restic.system = {
restic = {
enable = true;
qos = true;
extraPaths = [
"/data"
];
extraExcludes = [
"/data/cold/media/video"
"/data/cold/misc"
"/data/cold/torrent"
"/data/hot/torrent"
"/data/media/video"
"/data/torrent"
];
backups.system = {
enable = true;
qos = true;
extraPaths = [
"/data"
];
extraExcludes = [
"/data/cold/media/video"
"/data/cold/misc"
"/data/cold/torrent"
"/data/hot/torrent"
"/data/media/video"
"/data/torrent"
];
};
};
unfree.allowSoftware = true;
};

2
machines/fuuko/services/photoprism.nix
View file

@ -13,7 +13,7 @@
};
};
sbruder.restic.system.extraExcludes = [
sbruder.restic.backups.system.extraExcludes = [
"/var/lib/private/photoprism"
];

5
machines/hiroshi/configuration.nix
View file

@ -12,7 +12,10 @@
sbruder = {
full = false;
restic.system.enable = true;
restic = {
enable = true;
backups.system.enable = true;
};
wireguard.home.enable = true;
infovhost.enable = true;
nginx = {

13
machines/hitagi/configuration.nix
View file

@ -19,12 +19,15 @@
gui.enable = true;
media-proxy.enable = true;
podman.enable = true;
restic.system = {
restic = {
enable = true;
qos = true;
extraPaths = [
"/data"
];
backups.system = {
enable = true;
qos = true;
extraPaths = [
"/data"
];
};
};
unfree.allowSoftware = true;
wireguard.home.enable = true;

5
machines/koyomi/configuration.nix
View file

@ -12,7 +12,10 @@
];
sbruder = {
restic.system.enable = true;
restic = {
enable = true;
backups.system.enable = true;
};
wireguard.home.enable = true;
podman.enable = true;
};

7
machines/mayushii/configuration.nix
View file

@ -19,9 +19,12 @@
gui.enable = true;
media-proxy.enable = true;
podman.enable = true;
restic.system = {
restic = {
enable = true;
qos = true;
backups.system = {
enable = true;
qos = true;
};
};
unfree.allowSoftware = true;
wireguard.home.enable = true;

7
machines/nunotaba/configuration.nix
View file

@ -13,9 +13,12 @@
sbruder = {
gui.enable = true;
restic.system = {
restic = {
enable = true;
qos = true;
backups.system = {
enable = true;
qos = true;
};
};
unfree.allowSoftware = true;
wireguard.home.enable = true;

5
machines/renge/configuration.nix
View file

@ -27,9 +27,10 @@
sbruder = {
nginx.hardening.enable = true;
restic.system = {
restic = {
enable = true;
prune = true;
backups.system.enable = true;
prune.enable = true;
};
wireguard.home.enable = true;
infovhost.enable = true;

5
machines/vueko/configuration.nix
View file

@ -17,7 +17,10 @@
sbruder = {
nginx.hardening.enable = true;
restic.system.enable = true;
restic = {
enable = true;
backups.system.enable = true;
};
wireguard.home.enable = true;
full = false;
infovhost.enable = true;

71
modules/restic/default.nix
View file

@ -1,9 +1,78 @@
# SPDX-FileCopyrightText: 2020-2021 Simon Bruder <simon@sbruder.de>
# SPDX-FileCopyrightText: 2020-2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
cfg = config.sbruder.restic;
sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
sftpPort = 23;
repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";
mkPruneConfig = { tag, timerConfig }: {
inherit repository timerConfig;
passwordFile = config.sops.secrets.restic-password.path;
paths = [ ];
extraOptions = [
"-o"
"sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
];
pruneOpts = [
"--compression auto"
"--keep-daily 7"
"--keep-monthly 12"
"--keep-weekly 5"
"--keep-yearly 10"
"--tag ${tag}"
"--verbose"
];
};
in
{
imports = [
./system.nix
];
options.sbruder.restic = {
enable = lib.mkEnableOption "restic";
authScript.enable = (lib.mkEnableOption "script to use restic as user without dealing with authentication") // {
default = cfg.enable && config.sbruder.gui.enable;
};
prune.enable = lib.mkEnableOption "pruning";
};
config = lib.mkIf cfg.enable (lib.mkMerge [
{
sops.secrets = {
restic-password = { };
restic-repository = { };
};
}
(lib.mkIf cfg.authScript.enable {
environment.systemPackages = [
(pkgs.writeShellScriptBin "restic-auth" ''
${pkgs.restic}/bin/restic \
--password-command="pass data/backup/restic-nixos" \
--repo "${repository}" \
$@
'')
];
})
(lib.mkIf cfg.prune.enable {
sops.secrets.restic-ssh-key = {
sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
};
services.restic.backups = {
system-prune = mkPruneConfig {
tag = "system";
timerConfig = {
OnCalendar = "*-1/2-07 03:00:00";
RandomizedDelaySec = "4h";
};
};
};
})
]);
}

54
modules/restic/system.nix
View file

@ -4,11 +4,8 @@
{ pkgs, config, lib, ... }:
let
cfg = config.sbruder.restic.system;
cfg = config.sbruder.restic.backups.system;
sftpTarget = "u313368-sub4@u313368-sub4.your-storagebox.de";
sftpPort = 23;
repository = "sftp://${sftpTarget}:${toString sftpPort}/personal";
excludes = [
# Caches
"/home/*/Downloads/"
@ -37,14 +34,6 @@ let
] ++ cfg.extraExcludes;
excludesFile = pkgs.writeText "excludes.txt" (lib.concatStringsSep "\n" excludes);
# script to use restic as user without dealing with authentication
authScript = pkgs.writeShellScriptBin "restic-auth" ''
${pkgs.restic}/bin/restic \
--password-command="pass data/backup/restic-nixos" \
--repo "${repository}" \
$@
'';
# HACK: NixOS nftables implementation runs nft -c inside the build sandbox,
# where the target hosts cgroups are not available,
# and therefore fails.
@ -65,8 +54,8 @@ let
'';
in
{
options.sbruder.restic.system = {
enable = lib.mkEnableOption "restic";
options.sbruder.restic.backups.system = {
enable = lib.mkEnableOption "restic system backup";
timerConfig = lib.mkOption {
type = with lib.types; attrsOf str;
default = {
@ -88,19 +77,9 @@ in
default = null;
};
qos = (lib.mkEnableOption "QoS marking (DSCP AF12) of outgoing packets") // { default = !(isNull cfg.uploadLimit); };
prune = lib.mkEnableOption "pruning";
};
config = lib.mkIf cfg.enable {
sops.secrets = {
restic-password = { };
restic-repository = { };
} // lib.optionalAttrs cfg.prune {
restic-ssh-key = {
sopsFile = ../../machines/${config.networking.hostName}/secrets.yaml;
};
};
services.restic.backups.system = {
inherit (cfg) timerConfig;
repositoryFile = config.sops.secrets.restic-repository.path;
@ -134,32 +113,5 @@ in
"IOSchedulingPriority" = 7;
Slice = "restic.slice";
};
services.restic.backups.system-prune = lib.mkIf cfg.prune {
inherit repository;
passwordFile = config.sops.secrets.restic-password.path;
timerConfig = {
OnCalendar = "*-1/2-07 03:00:00";
RandomizedDelaySec = "4h";
};
paths = [ ];
extraOptions = [
"-o"
"sftp.command='ssh -i ${config.sops.secrets.restic-ssh-key.path} -p ${toString sftpPort} ${sftpTarget} -s sftp'"
];
pruneOpts = [
"--compression auto"
"--keep-daily 7"
"--keep-monthly 12"
"--keep-weekly 5"
"--keep-yearly 10"
"--tag system"
"--verbose"
] ++ lib.optional (cfg.uploadLimit != null) "--limit-upload=${toString cfg.uploadLimit}";
};
environment.systemPackages = [
authScript
];
};
}